Dear Mr. Musgrave: 

This is in response to your Freedom of Information Act (FOIA) request for a copy of 
DODIG-2015-046, "Navy Commands Need to Improve Logical and Physical Controls 
Protecting SIPRNET Access Points." We received your request on December 19, 2014, and 
assigned it case number FOIA-2015-00203. 

The Office of the Deputy Inspector General for Audit conducted a search and located one 
document, totaling 90 pages, which is responsive to your request. Upon review, we determined 
that certain redacted portions are exempt from release pursuant to 5 U.S.C. § 552 (b)(6), which 
pertains to information, the release of which would constitute a clearly unwarranted invasion of 
personal privacy; and 5 U.S.C. § 552 (b)(7)(E), which pertains to records or information 
compiled for law enforcement purposes, the release of which would disclose techniques and 
procedures for law enforcement investigations or prosecutions. 

Additionally, the Department of the Navy reviewed the report and determined that further 
redacted portions are exempt from release in accordance with 5 U.S.C. § 552 (b)(1), which 
pertains to information that is currently and properly classified pursuant to Executive Order 
13526, Section 1.4(g) (vulnerabilities or capabilities of systems, installations, infrastructures, 
projects, plans, or protection services relating to the national security). 

If you consider this response to be an adverse determination, you may submit an appeal. 
You can appeal in writing to the Department of Defense, Office of Inspector General, ATTN: 
FOIA Appellate Authority, Suite 10B24, 4800 Mark Center Drive, Alexandria, VA 22350-1500. 
Any appeal must be postmarked within 90 days of the date of this letter, must clearly state the 
adverse determination being appealed, and should reference the file number above. We 
recommend that your appeal and its envelope both bear the notation "Freedom of Information 
Act Appeal." For more information on appellate matters and procedures, please refer to 
32 C.F.R. Sec. 286.9(e) and 286.11(a). 

You may seek dispute resolution services and assistance with your request from the DoD 
OIG FOIA Public Liaison Officer at 703-604-9785, or the Office of Government Information 
Services (OGIS) at 877-684-6448, ogis@nara.gov, or https://ogis.archives.gov/. You may also 
contact OGIS via regular mail at National Archives and Records Administration, Office of 
Government Information Services, 8601 Adelphi Road - OGIS, College Park, MD 20740-6001. 
Please note that OGIS mediates disputes between FOIA requesters and Federal agencies as a 
non-exclusive alternative to litigation. However, OGIS does not have the authority to mediate 
requests made under the Privacy Act of 1974 (requests to access one's own records). 

If you have any questions regarding this matter, please contact Searle Slutzkin at 
703-604-9775 or via email at foiarequests@dodig.mil. 


Sincerely, 



Mark Dorgan 
Division Chief 

FOIA, Privacy and Civil Liberties Office 
Mission 

Our mission is to provide independent, relevant, and timely oversight 
of the Department of Defense that supports the warfighter; promotes 
accountability, integrity, and efficiency; advises the Secretary of 
Defense and Congress; and informs the public. 


Vision 

Our vision is to be a model oversight organization in the Federal 
Government by leading change, speaking truth, and promoting 
excellence—a diverse organization, working together as one 
professional team, recognized as leaders in our field. 
(U) Management Comments and 
Our Response 

We renumbered two recommendations for Finding A. Generally, 
management comments addressed the specifics of our recommendations. 
However, we request that the Under Secretary of Defense for Intelligence; 
Commander, U.S. Cyber Command; [redacted] 
provide additional comments in response to this report. In addition, we 
received the DoD CIO comments on the draft report too late to include 
them in the final report. Therefore, if the DoD CIO does not submit 
additional comments, we will consider those comments as the 
management response to the final report. Please see the 
Recommendations Table on the back of this page. 




Visit us at www.dodig.mil 
(U) Recommendations Table 

Columns: Management | Recommendations Requiring Comment | No Additional Comments Required 

Management addressees: 

Under Secretary of Defense for Intelligence 
Commander, U.S. Cyber Command 
Deputy Under Secretary of the Navy, Policy 
Department of Defense Chief Information Officer 
Department of the Navy Chief Information Officer 
Department of the Navy Deputy Chief Information Officer (Navy) 
Commander, U.S. Fleet Cyber Command/U.S. Tenth Fleet 
Director, Navy Operational Designated Accrediting Authority 

Recommendation entries (in page order): 

A.4, A.5.a, A.5.b, B.1, B.2 
A.6, A.7.a, A.7.b, A.7.c, A.8.a, A.8.b 
A.8.a, A.8.b 
A.9.a, A.9.c 
A.11.b, A.11.d, A.11.e 
A.6, A.7.a, A.7.b, A.7.c 
A.10, B.4 
B.3.a, B.3.b, B.3.c, B.3.d, B.3.e, B.4 
A.8.a, A.8.b 
A.7.a, A.7.b, A.7.c, A.11.a, A.11.c 

(U) Please provide Management Comments by January 12, 2015. 
INSPECTOR GENERAL 
DEPARTMENT OF DEFENSE 
4800 MARK CENTER DRIVE 
ALEXANDRIA, VIRGINIA 22350-1500 


December 10, 2014 


MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE 
COMMANDER, U.S. CYBER COMMAND 
DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER 
NAVAL INSPECTOR GENERAL 

SUBJECT: Navy Commands Need to Improve Logical and Physical Controls Protecting 
SIPRNET Access Points (Report No. DODIG-2015-046) 


(FOUO) We are providing this report for your review and comment. 


[redacted] 



(U) We considered management comments on a draft of this report when preparing the final 
report. DoD Directive 7650.3 requires that recommendations be resolved promptly. Comments 
from the Under Secretary of Defense for Intelligence and the Commander, U.S. Cyber Command, 
partially addressed Recommendation A.1. Therefore, we request additional comments on this 
recommendation by January 12, 2015. Comments from [redacted] 
did not address Recommendation A.6. Therefore, we request additional comments on this 
recommendation by January 12, 2015. Comments from the [redacted] 
partially addressed Recommendations A.9.a and A.9.c. Therefore, we 
request additional comments on these recommendations by January 12, 2015. Comments from the 
[redacted] partially addressed Recommendations 
A.11.b, A.11.d, and A.11.e. Therefore, we request additional comments on these recommendations 
by January 12, 2015. We received the DoD Chief Information Officer comments on the draft report 
too late to include them in the final report. Therefore, if the DoD Chief Information Officer does not 
submit additional comments, we will consider those comments as the management response to the 
final report. 

(U) Please send a PDF file containing your comments to [redacted]@dodig.smil.mil and 
[redacted]@dodig.smil.mil. Copies of your comments must have the actual signature of the 
authorizing official for your organization. We cannot accept the /Signed/ symbol in place of the 
actual signature. If you arrange to send classified documents electronically, you must send them 
over the SIPRNET. 


(U) We appreciate the courtesies extended to the staff. Please direct questions to 
[redacted] at (703) 60[redacted] (DSN 66[redacted]) or [redacted] at (703) 60[redacted] 
(DSN 32[redacted]). 
Carol N. Gorman 
Assistant Inspector General 
Readiness and Cyber Operations 
(U) Introduction 

(U) Objective 

(U) Our objective was to determine whether the Navy was effectively protecting its 
Secret Internet Protocol Router Network (SIPRNET) access points. Specifically, we 
reviewed the logical and physical controls protecting the SIPRNET access points at 
[redacted]. For Scope and Methodology, see Appendix A. 

(U) Background 

(FOUO) The SIPRNET is the Navy's command and control¹ network that operates at the 
classified Secret level. SIPRNET access points are all possible physical or logical 
connections where a user can access the SIPRNET. Physical controls, such as locks, 
guards, and window blinds, deter or delay adversaries' access to the network. Logical 
controls are system-based mechanisms (for example, firewalls, permission settings, and 
usernames and passwords) used to designate who or what has access to a specific 
system or function. 

(FOUO) The Department of the Navy's (DON) shore-based enterprise network in the 
continental United States and Hawaii is the Navy Marine Corps Intranet (NMCI), 
comprising two networks, one that connects to the SIPRNET² and one that connects to 
the Non-secure Internet Protocol Router Network, which is the unclassified network. 
The NMCI SIPRNET has: 

• (U) approximately 77,395 users; 

[redacted] 

(FOUO)¹ Command and control means that the Navy uses the network to send operational orders and battle commands to 
Navy combat forces. 

(U)² The SIPRNET connects to the Defense Information Systems Network, which is the responsibility of the Defense 
Information Systems Agency. 

(U)³ A server farm is a collection of servers that are used to route network traffic between two points: in this case, the 
SIPRNET and Navy installations. 
(U) Naval Network Warfare Command (NNWC) is responsible for managing NMCI; 
however, the network is owned and operated by Hewlett Packard Enterprise Services. 
Currently, Hewlett Packard Enterprise Services works under a continuity contract, 
which was awarded in October 2010 and is expected to expire in September 2014. 
Contractor responsibilities include, but are not limited to: 

• (U) conducting certification and accreditation testing in accordance with 
the DoD Information Assurance Certification and Accreditation 
Process (DIACAP) Implementation Plan and other Government-approved test 
plans; and 

• (U) defending systems by recognizing, reacting to, and responding to threats, 
vulnerabilities, and deficiencies to ensure no uncontrolled access and that all 
systems and networks can defend themselves. 

[redacted] use NMCI to connect to the SIPRNET. 


(U) Information System Certification and Accreditation 


(U) DoD requires that networks be certified and accredited before connecting to the 
SIPRNET. [redacted] was accredited in October 2012 in accordance with 
DoD Instruction (DoDI) 8510.01, "DoD Information Assurance Certification and 
Accreditation Process (DIACAP)," November 28, 2007. For more information on 
DIACAP, see Appendix B. We focused on three DIACAP activities: validation of 
information assurance (IA) controls, certification and accreditation decisions, and 
maintaining authorization. 

• (U) Validation is the testing, evaluation, examination, and investigation 
of evidence that assigned IA controls⁵ are implemented correctly and effectively. 

(FOUO)⁴ We reviewed the logical and physical controls for the Navy Marine Corps Intranet [redacted] 
Transport Boundary, known generically in this report as the [redacted] SIPRNET. 

(U)⁵ IA controls are applied to information systems to achieve an acceptable level of integrity, availability, and confidentiality. 
• (U) The certification decision is a determination of the extent to which a system 
complies with assigned IA controls. The decision is based on validation results 
that identify and assess the residual risk⁶ and the costs to correct or mitigate 
IA vulnerabilities as documented in the Information Technology (IT) Security 
Plan of Action and Milestones (POA&M). A certification determination is 
required before an accreditation decision. 

• (U) The accreditation decision is a formal statement by a designated accrediting 
authority regarding acceptance of the risk associated with operating a DoD 
information system. The accreditation decision is expressed as an Authorization 
to Operate (ATO), an Interim ATO, an Interim Authorization to Test, or a 
Denial of ATO. The Navy Operational Designated Accrediting Authority (ODAA) 
is the designated accrediting authority for the Navy. 

• (U) Maintaining the authorization involves the sustainment of an acceptable 
security posture. The IA controls should be reviewed annually to confirm their 
effectiveness or to recommend changes to the accreditation status. The results 
of an annual review or a major change in information assurance posture at any 
time may indicate the need for recertification and reaccreditation. 

(U) DIACAP requires that all vulnerabilities identified during IA control validation be 
corrected or mitigated, or that the risk be accepted. In addition, DoD Components are 
required to report vulnerabilities on the IT Security POA&M before granting an 
approved accreditation decision for a particular DoD network. The IT Security POA&M 
assists agencies in identifying, assessing, prioritizing, and monitoring the DoD 
network's vulnerabilities, and should include the actions performed to correct or 
mitigate the vulnerabilities. The IT Security POA&M should include the vulnerability, 
the corresponding unique IA control number, and an assigned vulnerability 
severity category (CAT): 

• (U) CAT I vulnerabilities are assigned to findings that allow primary security 
protections to be bypassed, allowing immediate access by unauthorized 
personnel, and are required to be corrected before an ATO is granted. 

(U)⁶ Residual risk is the portion of risk remaining after security measures have been applied. 
• (U) CAT II vulnerabilities can lead to unauthorized system access or activity, and 
are required to be corrected or mitigated within 180 days of granting an ATO. 
If vulnerabilities are not corrected or mitigated within the specified time frame, 
the ATO becomes invalid. 

• (U) CAT III vulnerabilities may impact security posture but are not required to 
be mitigated or corrected in order for an ATO to be granted. 

(U) For more information on IA controls, see Appendix C. 

(U) Review of Internal Controls 

[redacted] to the senior official responsible for internal controls at ODAA. 
(U) Finding A 

(U) Navy Commands Did Not Effectively Protect 
SIPRNET Access Points 

Specifically: 

• [redacted] 

(U)⁷ Removable media is defined as compact disc, digital video disc, Secure Digital cards, tape, flash memory data storage 
devices, MultiMediaCards, removable hard drives, etc. 

[redacted under (b)(7)(E)] 

(U)⁸ The OSD Memorandum "Insider Threat Mitigation," was signed by the Department of Defense Chief Information Officer 
and the Under Secretary of Defense for Intelligence; however, U.S. Cyber Command is responsible for issuing 
additional guidance. 
(FOUO) The Secretary of the Navy Manual 5510.36, "Department of the Navy 
Information Security Program," June 2006, needs to be updated to include current DoD 
requirements. The Manual requires that a classified information storage risk 
assessment be performed. However, after the Manual was issued, DoD issued 
DoDM 5200.01, volume 3, which includes minimum requirements that are not outlined 
in Secretary of the Navy Manual 5510.36. The Deputy Under Secretary of the Navy, 
Policy, should update DON policy to implement at least the minimum requirements for 
performing a risk assessment as required by DoDM 5200.01, volume 3. DDCIO(N) 
should implement the requirements for performing a risk assessment in accordance 
with updated DON policy and DoDM 5200.01, volume 3. 


(FOUO) System Access Forms Were Not Appropriately 
Completed or Approved 

[redacted] did not appropriately complete and approve network access 
forms before granting access to the SIPRNET. The Navy requires each user requesting 
system access to have a completed: 

• (FOUO) System Access Authorization Request Navy (SAAR-N) form in 
accordance with Navy Telecommunications Directive 10-11, "OPNAV 
Form 5239-14/System Access Authorization Request Navy (SAAR-N)," 
October 2011, and 

• (FOUO) DD Form 2842 "Department of Defense Public Key Infrastructure (PKI) 
Certificate of Acceptance and Acknowledgement of Responsibilities"⁹ to 
acknowledge their responsibilities of receiving a SIPRNET token. 

(U)⁹ The DD Form 2842 is used to acknowledge user acceptance of their responsibilities upon receiving their SIPRNET token. 
The DD Form 2842 requires that the registration official witness the user sign the document. 
(FOUO) The SAAR-N is used to authorize access to DoD networks. Secretary of the 
Navy Instruction 5239.3B, "Department of the Navy Information Assurance Policy," 
June 17, 2009, requires that all authorized users of DON information systems and 
networks receive initial IA training. In addition, users should complete annual IA 
refresher training, which should be noted on the SAAR-N in accordance with 
Navy Telecommunications Directive 10-11. To determine whether the SAAR-N forms 
were appropriately completed and approved, we verified that the IAM signed the forms 
and that IA training was completed within a year of the IAM's signature. To determine 
whether the DD Form 2842 was appropriately completed and approved, we verified 
that the user and registration official signed and dated the form, and confirmed that the 
registration official witnessed the user's signature. We performed control tests of the 
SAAR-N forms and DD Forms 2842.¹⁰ 


(FOUO) [redacted] System Access Forms Were Not Appropriately 
Completed or Approved 

(FOUO) The [redacted] IAM did not complete and approve user network access forms 
before providing users with SIPRNET access. We requested SAAR-N forms and 
DD Forms 2842 for a sample of 32 [redacted] personnel. The IAM could only provide 
28 SAAR-Ns and 21 DD Forms 2842 and could not explain why the 4 SAAR-N forms and 
5 DD Forms 2842 were missing. For the other 6 missing DD Forms 2842 requested, the 
personnel had not been issued SIPRNET tokens; therefore, the form was not required. 

(FOUO) We reviewed the 28 SAAR-N forms and determined that the IAM did not sign 
1 form. The other 27 forms were signed; however, the signature block was dated the 
day that the forms were provided to the audit team. In addition, 2 of the forms did not 
have IA training noted on the form, and 11 forms indicated that IA training was not 
completed within a year of the IAM's signature. We reviewed the 21 DD Forms 2842 
and determined that 15 forms were signed; however, the signature block was dated the 
day that the forms were provided to the audit team. When asked about witnessing the 
forms, the IAM stated that she did not witness the users sign them. 

(U)¹⁰ We used the control test table developed by the Quantitative Methods Division and published in the Council of the 
Inspectors General on Integrity and Efficiency, "Journal of Public Inquiry," 2012-2013, when performing the control tests. 
(FOUO) This occurred because [redacted] had not established policies and procedures to 
verify that the required forms for system access were appropriately completed and 
approved before providing users SIPRNET access. In addition, the [redacted] 
IAM stated that this occurred because the [redacted] IAM was 
responsible for approximately 3,000 users and did not complete, approve, and witness 
the forms as they were received. However, the [redacted] IAM did not adequately perform 
the duties assigned in the IAM's position description for authorizing all users' SIPRNET 
access forms before granting them a SIPRNET account. The Commander, [redacted], 
and the Commander, [redacted], should coordinate and establish policies and procedures to verify 
that the IAM signs required documentation before providing access to the SIPRNET; and 
establish policies and procedures to review and verify that the registration official signs 
required documentation before providing users their SIPRNET tokens. 

(FOUO) [redacted] System Access Forms Were Not Appropriately 
Completed or Approved 

(FOUO) [redacted] did not accurately complete two SAAR-N forms and a DD Form 2842. 
We requested and received SAAR-N forms and DD Forms 2842 for a sample of 
41 [redacted] personnel. We reviewed the 41 SAAR-N forms and determined that 1 form 
did not document IA training on the form and another form indicated that IA training 
was not completed within a year of IAM signature, and therefore the control test failed. 
In addition, we reviewed the 41 DD Forms 2842 and determined that the registration 
official did not sign or witness the user's signature for 1 form, and therefore the control 
test failed. 

(FOUO) This occurred because [redacted] had not established procedures to verify 
that the required forms for system access were appropriately completed before 
providing users SIPRNET access. On May 1, 2014, [redacted] established a procedure for 
the [redacted] Security Department to review and verify all SAAR-N forms. [redacted] should 
implement procedures to review and verify that all DD Forms 2842 are completed 
before users gain access to the SIPRNET. 
Security Training Records Were Incomplete 

(FOUO) [redacted] did not maintain evidence of security training. 
DoDM 5200.01, volume 3, requires DoD Components to maintain records of employee 
security training. Specific training required for access to classified information includes: 

• (FOUO) initial orientation training on security policies as required by 
DoDM 5200.01, volume 3, 

• annual refresher training on security policies, principles, and 
procedures as required by DoDM 5200.01, volume 3, and 

• (FOUO) North Atlantic Treaty Organization (NATO) briefings that discuss the 
responsibilities for protecting NATO information and a written 
acknowledgement of the individual's receipt of the briefing, as required by 
DoDM 5200.01, volume 1, "DoD Information Security Program: Overview, 
Classification, and Declassification," February 24, 2012. 

(FOUO) [redacted] Training Records Were Incomplete 

(FOUO) [redacted] did not maintain evidence that personnel completed classified 
information access training. We requested evidence for completed initial orientation 
security training, annual security refresher training, and NATO briefings for a sample of 
32 personnel. The [redacted] provided evidence that 16 personnel completed 
the initial orientation security training, but was unable to provide evidence that 
personnel completed the annual security refresher training and the NATO briefings. 

(FOUO) [redacted] did not have a process in place to ensure that personnel completed 
training and that evidence of completion is recorded before granting SIPRNET access. 
The [redacted] stated that [redacted] provides annual security refresher training 
and NATO briefings; however, he was not aware that the command needed to maintain 
evidence of security training completion. [redacted] should complete required security 
trainings and implement a mechanism to identify individuals who have completed the 
required training. 
(FOUO) [redacted] Training Records Were Incomplete 

(FOUO) [redacted] did not maintain evidence that personnel completed classified 
information access training. We requested evidence for completed initial orientation 
security training, annual security refresher training, and NATO briefings for a sample of 
41 personnel. [redacted] provided evidence of initial orientation security training for 
39 personnel, annual security training for 31 personnel, and NATO briefings for all 
41 personnel. 

(FOUO) For the two personnel for whom we did not receive evidence of initial orientation 
security training, [redacted] was unsure why one person did not receive initial orientation 
security training, and the Security Officer stated that the other person was a reservist 
who was rarely at the command and the security staff overlooked the requirement. 
In addition, [redacted] did not have evidence of annual security training for six personnel 
because they were not due for annual security training; however, four personnel were 
missing annual security refresher training because the command was changing how it 
tracked annual security training, and the new automated tracking system did not record 
the data correctly. 

(FOUO) We reviewed the training records provided by [redacted] and determined that 
2 of 41 personnel did not have NATO briefings signed by the presenter. This occurred 
because the presenter signed the NATO briefings at the end of the presentation and 
two of the training forms were overlooked. Also, [redacted] did not have policies and 
procedures to track completion of the required security training before granting 
SIPRNET access. [redacted] should complete required security trainings and implement a 
procedure for identifying and retaining records of individuals who completed the 
required training. 

(U) Recommendations, Management Comments, and 
Our Response 

(U) Renumbered Recommendations 

(U) We renumbered draft report Recommendation A.2 as A.3. We renumbered draft 
report Recommendation A.3 as A.2. 

(U) A.1. We recommend that the Under Secretary of Defense for Intelligence; 
Commander, U.S. Cyber Command; and Department of Defense Chief Information 
Officer, coordinate to review and issue clarifying guidance for the Office of the 
Secretary of Defense Memorandum "Insider Threat Mitigation," July 12, 2013, 
instructing DoD Components on the proper procedures for [redacted] 
(U) Under Secretary of Defense for Intelligence Comments 

(FOUO) The Director for Defense Intelligence (Intelligence & Security), responding on 
behalf of the Under Secretary of Defense for Intelligence, neither agreed nor disagreed, 
and stated that since the memorandum was dispatched, Commander, U.S. Cyber 
Command, issued Task Order 13-0651, "Insider Threat Mitigation Amplifying 
Direction," July 31, 2013, and Task Order 14-0185, "Insider Threat Initiative," 
July 17, 2014, that provide explicit guidance to DoD Components regarding [redacted]. 
According to the [redacted], collaboration with DoD CIO staff confirmed that the two 
task orders capture [redacted]. The Office of the Under Secretary of Defense for Intelligence 
acknowledged the DoD OIG comment but requested that the draft report 
recommendation be withdrawn due to U.S. Cyber Command clarifying guidance. 
(U) Our Response 

[redacted] 

(U) Commander, U.S. Cyber Command Comments 

(FOUO) The Director of Operations, responding on behalf of the Commander, 
U.S. Cyber Command, neither agreed nor disagreed, and stated that U.S. Cyber 
Command Task Order 14-0185, "Insider Threat Initiative," July 17, 2014, applies to 
SIPRNET and provides technical and procedural direction [redacted]. 

(U) Our Response 

[redacted] 
(U) Department of Defense Chief Information 
Officer Comments 

(U) We received the DoD CIO comments on the draft report too late to include them in 
the final report. Therefore, if the DoD CIO does not submit additional comments, we 
will consider those comments as the management response to the final report. 

[redacted] 

(U) Commander, U.S. Cyber Command Comments 

(FOUO) The Director of Operations, responding on behalf of the Commander, 
U.S. Cyber Command, neither agreed nor disagreed, and stated that U.S. Cyber 
Command will update all applicable orders, including Communications Tasking 
Order 10-133, to direct DoD Components to [redacted]. 

(U) Our Response 

(U) Comments from the Director addressed all of the specifics of the recommendation. 
No further comments are required. 
(U) A.3. We recommend that the Deputy Under Secretary of the Navy, Policy, 
update Department of Navy policy to implement at least the minimum 
requirements for performing a risk assessment as required by 
DoD Manual 5200.01, volume 3. 

(U) Deputy Under Secretary of the Navy, Policy Comments 

(U) The Deputy Under Secretary of the Navy, Policy, agreed with the recommendation. 
The Deputy Under Secretary of the Navy, Policy, Senior Director for Security, stated that 
the Deputy Under Secretary of the Navy, Policy, is updating the Secretary of the Navy 
Manual 5510.36, "Department of the Navy Information Security Program," June 2006. 
The expected timeline for completion of the draft is the end of FY 2015. 

(U) Our Response 

(U) Comments from the Senior Director addressed all of the specifics of the 
recommendation. No further comments are required. 

(U) A.4. We recommend that the Department of the Navy Chief Information 
Officer and Department of the Navy Deputy Chief Information Officer (Navy), 
coordinate to implement requirements from DoD Instruction 8500.01, 
"Cybersecurity," March 14, 2014, including all links, references, and attachments. 

(U) Department of the Navy Chief Information 
Officer Comments 

(FOUO) The Principal Deputy CIO, responding on behalf of the Department of the 
Navy CIO, agreed with the recommendation. The Principal Deputy CIO stated that the 
DON CIO has already begun coordinating the Department's transition to the revised 
DoD Cybersecurity and Risk Management Framework instructions, including 
DoD Instruction 8500.01, "Cybersecurity," March 14, 2014. The DON CIO issued a 
memorandum, "Implementation of the DoD Risk Management Framework for 
Information Technology (IT)," on May 20, 2014, providing guidance to the Navy and 
Marine Corps to transition to the DoD Risk Management Framework. In addition, the 
DON CIO is working with the DON Deputy CIO (Navy) to develop the Navy's Risk 
Management Framework implementation plan. 
(U) Our Response 

(U) Comments from the Principal Deputy CIO addressed all of the specifics of the 
recommendation. No further comments are required. 

(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 

(FOUO) The Assistant Deputy Chief of Naval Operations, Information Dominance, 
responding on behalf of the DDCIO(N), neither agreed nor disagreed, and stated that the 
DDCIO(N) continues to coordinate with the DON CIO, U.S. Fleet Cyber 
Command/U.S. Tenth Fleet, and applicable Echelon II commands on the transition to the 
revised DoD Cybersecurity and Risk Management Framework to ensure Navy 
implements DoD Instruction 8500.01 and DoD Instruction 8510.01 requirements, 
including all links, references, and attachments. In addition, 
the DDCIO(N) hosted a Risk Management Framework implementation working group 
on October 21-23, 2014, to review the Navy's Risk Management Framework 
transition plan. 

(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 

(U) Deputy Under Secretary of the Navy, Policy Comments 

(U) Although not required to comment, the Deputy Under Secretary of the Navy, Policy, 
suggested including the Deputy Under Secretary of the Navy, Policy, in the coordination 
for recommendation A.4. 

(U) Our Response 

(U) We fully support coordination between the Navy Components; however, our 
recommendation was directed to the parties responsible for implementing Navy policy. 
Therefore, we did not change the recommendation to include coordination with the 
Deputy Under Secretary of the Navy, Policy. 
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(U) A.S. We recommend that the Department of the Navy Deputy Chief 
Information Officer (Navy): 

a. (FOUO) Review the deficiencies identified, have a thorough review of 
the Navy Marine Corps Intranet Secret Internet Protocol Router 
Network security controls performed at each command, and apply 
corrective actions as necessary. 

(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 

(FOUO) The Assistant Deputy Chief of Naval Operations, Information Dominance, 
responding on behalf of the DDCIO(N), neither agreed nor disagreed, and stated that the 
DDCIO(N) has directed U.S. Fleet Cyber Command/U.S. Tenth Fleet ODAA to review the 
NMCI SIPRNET security controls enterprise-wide. The review will consist of the 
following stakeholders: Site/Command IAM, Naval Enterprise Networks, Program 
Management Office, U.S. Fleet Cyber Command/U.S. Tenth Fleet Network Operations, 
and the ODAA, who will coordinate to ensure the results and corrective actions are used 
to determine the impact of          The coordination 

with stakeholders will take place no later than November 15, 2014. 

(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 

b. (FOUO) Implement the requirements for performing a risk assessment 
in accordance with updated Department of Navy policy and 

DoDM 5200.01, Volume 3. 


(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 


(FOUO) The Assistant Deputy Chief of Naval Operations, Information Dominance, 
responding on behalf of the DDCIO(N), neither agreed nor disagreed, and stated that the 
has 

The Site/Command IAM and Naval Enterprise Networks, Program 
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A.6. We recommend that the 


that review, the 


neither agreed nor disagreed, and stated that the supervision 


and accountability of 
Officer resides with the 


Information Assurance 


Officer resides with Commanding Officer. 

Information Assurance Officer no longer 
provides Information Assurance services. The 

provides services for all SIPRNET account requests, 
SAAR-N compliance, and token requests. 
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(FOUO) Management Office will work to implement the requirements in accordance 
with DoDM 5200.01, Volume 3, and transmit information to the ODAA, who will use the 

The 

estimated timeline for this action is no later than November 15, 2014. A risk 
assessment is part of the physical security control assessment required for system 
accreditation under DoD Instruction 8510.01 and forthcoming Secretary of the Navy 
and Chief of Naval Operations guidance. Chief of Naval Operations Instruction 5239.1D 
is expected to be published by January 31, 2015. 


(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 












(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance did not address the specifics of the recommendation. The 

did not comment on the review of the IAM 
actions and the corresponding management actions taken for holding the IAM 
accountable. Therefore, we request the 

provide comments in response to the final report. 


(U) A.7. We recommend that 



neither agreed nor disagreed, and stated that 

no longer 
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(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 



a. (U) Review the alignment of the Information Assurance 
Manager function, determine if realignment is necessary for 
effective supervision, and establish policy that assigns 
supervisory responsibility. 


(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 


(FOUO) The Assistant Deputy Chief of Naval Operations, Information Dominance, 
responding on behalf of the 



neither agreed nor disagreed, and stated that          no longer receives IA services 

Supervision and accountability of 
Information Assurance Officer resides with the 
Commanding Officer. 
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(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. As discussed in the 
comments and response to Recommendation A.7, 

supervisory responsibility for the          Information 
Assurance Officer. A Memorandum of Agreement between 

discussing the supervision 

responsibilities for the          Information Assurance Officer, was provided. We 
reviewed the Memorandum of Agreement and determined that it meets the intent of the 
recommendation. No further comments are required. 

b. (U) Establish and implement performance standards and standard 
operating procedures for the Information Assurance Manager 
function, and monitor and evaluate the Information Assurance 
Managers' performance. 

(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 

The Assistant Deputy Chief of Naval Operations, Information Dominance, 
on behalf of 



neither agreed nor disagreed, and stated that the DDCIO(N) will request that 
Chief of Naval Operations personnel 

provide documentation that they have implemented performance standards and 
standard operating procedures for the IAM no later than November 30, 2014. 

(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 






(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 


(FOUO) The Assistant Deputy Chief of Naval Operations, Information Dominance, 

on behalf of          neither 

agreed nor disagreed, and stated that          IAM 

conducts the 
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. The Deputy Chief of Naval Operations (N2/N6) will direct U.S. Fleet 
Forces Command/Tenth Fleet to provide documentation of 
within the past 6 months. 


(U) Our Response 

(FOUO) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance partially addressed the recommendation. We request that          provide 
comments to the final report that explicitly state whether a          has 
been performed within the past 6 months or          If one has not been performed, a 
         should be performed immediately. 
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(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 


(FOUO) The Assistant Deputy Chief of Naval Operations, Information Dominance, 

on behalf of          neither 

agreed nor disagreed, and stated that the 



(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 


c. (FOUO) Complete required security training and develop and 
implement a mechanism for identifying individuals who complete 
required security training. 


(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 

(FOUO) The Assistant Deputy Chief of Naval Operations, Information Dominance, 

neither agreed nor disagreed, and stated that initial security training is conducted 
when military, civilian, and contractor personnel report onboard and is documented 
in security files. Annual security refresher training is conducted and documented as 
required by current instructions. 


(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance partially addressed the recommendation. We request that          officials 
provide comments to the final report that describe the mechanism that will be used to 
identify individuals who complete the required security training. 
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(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 



(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 



(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 

(FOUO) The Assistant Deputy Chief of Naval Operations, Information Dominance, 
responding on behalf of 
neither agreed nor disagreed, and stated that          has corrected deficiencies with its 
secure room in a manner compliant with DoDM 5200.01, Volume 3, ensuring 
continuous monitoring during working hours when the secure door is unlocked. 
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(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 



(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 



(U) Our Response 


(FOUO) Comments from the Assistant Deputy Chief of Naval Operations, Information 
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(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 



(U) Our Response 

(FOUO) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 



(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 
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(U) Our Response 

(FOUO) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance partially addressed the recommendation. We request that          provide 
additional comments that describe the procedures for performing risk assessments in 
response to the final report. 

e. (FOUO) Complete required security training and develop and 

implement a mechanism to identify individuals who complete required 
security training. 

(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 

(FOUO) The Assistant Deputy Chief of Naval Operations, Information Dominance, 

neither agreed nor disagreed, and stated that          will conduct a physical security 

training audit, identify deficiencies, and conduct required training no later than 
November 15, 2014. Proof of training completion will be reported to 

The Chief of Naval Operations (N2/N6) will request that 
Commander, Navy Reserve Forces Command provide documentation of the 
physical security training audit no later than November 30, 2014. 

(U) Our Response 

(FOUO) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance partially addressed the recommendation. We request that          officials 
provide additional comments that address all security training, not just physical security 
training. Also, provide comments that describe the mechanism, which should be of a 
recurring nature, that will be used to identify individuals who complete the required 
security training in response to the final report. 
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(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 

(FOUO) Although not required to comment, the Assistant Deputy Chief of Naval 
Operations, Information Dominance, responding on behalf of the 

stated 


(U) Our Response 

(U) Although the comments from the Assistant Deputy Chief of Naval Operations, 
Information Dominance do not directly address any recommendation, we agree with 

in accordance with DoDI 8500.01, "Cybersecurity," March 14, 2014. 
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(U) Finding B 












(FOUO) 





(U) Vulnerabilities are also known as security weaknesses. 
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(FOUO) During the audit, DoD issued updated policy for the certification and 
accreditation of systems, DoDI 8510.01, "Risk Management Framework (RMF) for DoD 
Information Technology (IT)," March 12, 2014. According to DoDI 8510.01, DoD 
Components should transition to the updated policy requirements when reaccreditation 
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(FOUO) 



(U) The Readiness Inspection results were presented b 
POA&M 

(U) The Validation Plan and Procedures and Risk Assessment Reports are internally generated documents that identify 
vulnerabilities and their associated severity CAT. 
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(U) "A cross-domain solution Is an information assurance solution that provides the abilitv to access or transfer data betureen 
two or more differing security domains, and can be authorized forno more than one yearfrom the date of approval. Domains 
include a set of system resources and a set of system entities that have the right to access the resources as defined by a 
common security policy, security model, or security ardritecture. 
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Finding B 
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(FOUO) Table 2. 
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(U) * Time lapsed before DISA approval refers to the time between when the configuration change 
was implemented and when DISA issued the Authority to Connect. 

(U) ** Intrusion detection system 

(U) Enclaves are a collection of information systems connected by one or more internal networks under the control of a 
single authority and security policy. 
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(U) According to DISA, "Network Infrastructure Technology Overview," version 8, 
release 5, April 27, 2012, enabled tunnels should be identified on the network topology. 
In addition, according to the DISN Connection Process Guide, the network topology is 
required to show the accreditation boundaries, identify cross-domain solutions, and 
identify any connections to other networks to include the name of the organization that 
owns the enclave, the connection type, internet protocol addresses for all devices within 
the enclave, and the organization type. 

(U) Accreditation boundary refers to the physical or logical boundary that is defined for a system, domain, or enclave. The 
system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected. 
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(U) Recommendations, Management Comments, and 
Our Response 



(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 
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(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 



(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 



(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 

(U) B.3. We recommend that the Director, Navy Operational Designated 
Accrediting Authority: 
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(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 



(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 



(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 
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(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 



(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 



(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 
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(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 



(U) Our Response 


(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance did not address the specifics of the recommendation. However, as 



further comments are required. 



(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 



(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 
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(U) Assistant Deputy Chief of Naval Operations, Information 
Dominance Comments 



(U) Our Response 

(U) Comments from the Assistant Deputy Chief of Naval Operations, Information 
Dominance addressed all of the specifics of the recommendation. No further comments 
are required. 
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(U) Appendix A 

(U) Scope and Methodology 

(U) We conducted this performance audit from April 2013 through September 2014 in 
accordance with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, appropriate evidence to 
provide a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. 

(U) We performed the audit to determine whether the Navy was effectively protecting 
access points. 


The commands 


chosen represented various types of access points, Sensitive Compartmented 
Information Facility, Open Secret Storage, and Secure Room as designated by the 
U.S. Navy. 



For more information on certification 


and accreditation activities, see Appendix B. 


(U) During our review, we interviewed DoD and Navy component personnel. We 
interviewed personnel at the Under Secretary of Defense for Intelligence, DoD CIO, and 
U.S. Cyber Command concerning the write privilege criteria. We interviewed personnel 
at DDCIO(N) to discuss SIPRNET access points, and open NMCI vulnerabilities. At the 

we 

interviewed personnel; obtained, reviewed, and analyzed policies; obtained, reviewed, 



(U) and analyzed network access and privilege processes; and obtained, reviewed, and 
analyzed network settings.          we interviewed personnel; obtained, 

reviewed, and analyzed physical security, logical security, user authentication, 
personnel access, classified information protection, visitor access, and classified 
information technology disposal policies and procedures; and observed physical 
security for SIPRNET access points. 

(U) In addition, we performed control tests for the SAAR-N forms, DD Forms 2842, and 
security training forms. 



The following decision rules applied for our control 
tests: if there were no errors in the sample, then the control passes, and if there were 
one or more errors, then the control fails. We used the control test table developed by 
Quantitative Methods Division and published in the Council of the Inspectors General on 
Integrity and Efficiency, "Journal of Public Inquiry," 2012-2013 when performing the 
control tests. 



(U) Use of Computer-Processed Data 
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(U) Use of Technical Assistance 

(U) We obtained support from the DoD Office of the Inspector General Quantitative 
Methods Division in developing a statistical sample for review. We obtained support 
from the DoD Office of the Inspector General Information Systems Directorate for 
defining SIPRNET access points. 

(U) Prior Coverage 

(U) During the last 5 years, the Naval Audit Service issued one report discussing 
security guidance for certification and accreditation. 

(U) Navy Audit Service 

(U) N2012-0070, "Navy Compliance with Department of Defense Information Assurance 
Certification and Accreditation Process," September 28, 2012 
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(U) Appendix B 

(U) DoD Information Assurance Certification and 
Accreditation Process 

(U) The DIACAP establishes a process to certify and accredit DoD information systems 
based on the implementation of IA controls. DIACAP applies to all DoD-owned and 
controlled information systems and consists of five activities: 

• (U) Activity 1: Initiate Certification and Accreditation — includes registering 
the system with the appropriate DoD Component, assigning IA controls to 
the information system, and initiating the DIACAP Implementation Plan. 
Each assigned control is implemented according to the applicable 
implementation guidelines provided in the DIACAP. 

• (U) Activity 2: Implement and Validate IA Controls — includes executing the 
DIACAP Implementation Plan, conducting validation activities, preparing the 
IT Security POA&M, and compiling validation results in the DIACAP 
Scorecard. The status of each assigned IA control is indicated on the 
DIACAP Scorecard as compliant, noncompliant, or not applicable. 

• (U) Activity 3: Make Certification Determination and Accreditation 
Decision — includes determining whether to certify and accredit a DoD 
information system. Each information system has a certifying authority, 
who bases the certification decision on IA validation results, and a 
designated accrediting authority, who bases the accreditation decision 
on a balance of mission or business need and protection of the information 
being processed. 
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• (U) Activity 4: Maintain Authorization — involves the sustainment of 
acceptable IA posture. The IA controls should be reviewed annually to 
confirm the effectiveness of the assigned IA controls or to recommend 
changes to the accreditation status. A designated accrediting authority may 
downgrade or revoke an accreditation decision at any time if risk conditions 
or concerns develop from the reviews. The results of an annual review or a 
major change in information assurance posture at any time may indicate the 
need for recertification and reaccreditation. 

• (U) Activity 5: Decommissioning — focuses on removing a DoD information 
system from operation. 
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(U) Appendix C 

(U) Information Assurance Controls 

(U) According to DoDI 8500.2, "Information Assurance (IA) Implementation," 

February 6, 2003, IA controls are an objective condition of the integrity, availability, or 
confidentiality of the information system achieved through the application of specific 
safeguards or through the regulation of specific activities. There are eight broad IA 
control subject areas: 

• (U) Security Design and Configuration, abbreviated DC; 

• (U) Identification and Authentication, abbreviated IA; 

• (U) Enclave and Computing Environment, abbreviated EC; 

• (U) Enclave Boundary Defense, abbreviated EB; 

• (U) Physical and Environmental, abbreviated PE; 

• (U) Personnel, abbreviated PR; 

• (U) Continuity, abbreviated CO; and 

• (U) Vulnerability and Incident Management, abbreviated VI. 

(U) Each IA control is assigned a control number that designates the control's subject 
area and name. The control numbers consist of four letters, a dash, and a number. 

The first two letters designate the subject area and the second two letters designate the 
control name. The number represents the level of robustness of the IA control in 
ascending order, with one being the least robust and three being the most robust. 

See Table C.1 for a description of the IA controls discussed in our report including the 
control number and the corresponding subject areas and control names. 
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(FOUO) Table C.1. Information Assurance Controls 
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Control Number | Subject Area | Control Name 
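(U) The control-number scheme described in Appendix C (four letters, a dash, a robustness level) and the DIACAP Scorecard statuses of Appendix B, Activity 2 (compliant, noncompliant, not applicable) are mechanical enough that a reviewer can check them automatically. The following is an added worked example, not code from the report or from any DoD tool: it decodes control numbers against the eight subject areas listed above and summarizes a scorecard-style status list by subject area. The sample control numbers and statuses are constructed for illustration; the rows of Table C.1 are not reproduced on this page, so the code carries only the two-letter control name, not the full control name.

```python
"""Added example: decode DoDI 8500.2 IA control numbers (Appendix C) and
summarize a DIACAP-Scorecard-style list of control statuses (Appendix B).
Sample control numbers below are illustrative, not taken from Table C.1."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The eight IA control subject areas listed in Appendix C.
SUBJECT_AREAS = {
    "DC": "Security Design and Configuration",
    "IA": "Identification and Authentication",
    "EC": "Enclave and Computing Environment",
    "EB": "Enclave Boundary Defense",
    "PE": "Physical and Environmental",
    "PR": "Personnel",
    "CO": "Continuity",
    "VI": "Vulnerability and Incident Management",
}

# Four letters, a dash, and a robustness level 1-3 (Appendix C).
_CONTROL_RE = re.compile(r"^([A-Z]{2})([A-Z]{2})-([1-3])$")

# DIACAP Scorecard statuses (Appendix B, Activity 2).
SCORECARD_STATUSES = ("compliant", "noncompliant", "not applicable")


@dataclass(frozen=True)
class IAControl:
    number: str
    subject_area: str   # full subject-area name
    control_name: str   # two-letter control name; full names are in Table C.1
    robustness: int     # 1 = least robust, 3 = most robust


def parse_control_number(text: str) -> IAControl:
    """Split e.g. 'PEPF-2' into subject area PE, control name PF, level 2."""
    m = _CONTROL_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"malformed IA control number: {text!r}")
    area, name, level = m.groups()
    if area not in SUBJECT_AREAS:
        raise ValueError(f"unknown subject area {area!r} in {text!r}")
    return IAControl(f"{area}{name}-{level}", SUBJECT_AREAS[area], name, int(level))


def summarize_scorecard(rows):
    """rows: iterable of (control_number, status) pairs.
    Returns {subject_area: {status: count}}. Unknown statuses are rejected
    rather than ignored, so a typo cannot silently hide a noncompliant control."""
    summary = defaultdict(lambda: {s: 0 for s in SCORECARD_STATUSES})
    for number, status in rows:
        status = status.strip().lower()
        if status not in SCORECARD_STATUSES:
            raise ValueError(f"unknown scorecard status {status!r} for {number}")
        ctrl = parse_control_number(number)
        summary[ctrl.subject_area][status] += 1
    return dict(summary)


def noncompliant_controls(rows):
    """Control numbers marked noncompliant, most robust level first, so the
    highest-assurance gaps appear at the top of the list."""
    bad = [parse_control_number(n) for n, s in rows
           if s.strip().lower() == "noncompliant"]
    return [c.number for c in sorted(bad, key=lambda c: (-c.robustness, c.number))]


# Constructed sample scorecard (illustrative control numbers and statuses).
SAMPLE_SCORECARD = [
    ("PEPF-2", "noncompliant"),
    ("PEPS-1", "compliant"),
    ("IAIA-1", "noncompliant"),
    ("ECSC-1", "compliant"),
    ("VIVM-1", "not applicable"),
    ("PRTN-1", "noncompliant"),
]

if __name__ == "__main__":
    for area, counts in summarize_scorecard(SAMPLE_SCORECARD).items():
        print(f"{area}: {counts}")
    print("noncompliant:", noncompliant_controls(SAMPLE_SCORECARD))
```

The parser is strict on purpose: a control number whose subject-area letters are not one of the eight areas, or whose level is outside 1-3, is an error rather than a silently misfiled control, which matters when the scorecard feeds an accreditation decision.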
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(U) Appendix D 



(U) CAT I vulnerabilities are the most critical and are required to be corrected before an ATO is granted. CAT II vulnerabilities 
can lead to unauthorized system access or activity, and are required to be corrected or mitigated within 19 ) days of 
granting an ATO. If vulnerabilities are not corrected or mitigated within the specified time frame, the ATO becomes invalid. 
CAT III vulnerabilities may impact security posture but are not required to be mitigated or corrected in order for an ATO 
to be granted. 
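(U) The three CAT rules above form a small decision procedure: an uncorrected CAT I blocks the ATO, an open CAT II past the remediation window invalidates it, and CAT III never affects it. The following is an added example, not code from the report or any DoD tool, that applies those rules to a list of findings. The number of days in the CAT II window is not legible in this copy of Appendix D, so the code takes it as a parameter; the 180-day default is an assumption, and the finding identifiers and categories are constructed for illustration. Note the edge case the code makes explicit: Appendix D says CAT I must be *corrected*, so a CAT I that is merely mitigated still blocks the ATO, whereas mitigation is sufficient for CAT II.

```python
"""Added example (not from the report): apply the Appendix D CAT I/II/III
rules to a list of findings to decide whether an ATO may be granted or
remains valid."""
from dataclasses import dataclass
from datetime import date, timedelta

CAT_I, CAT_II, CAT_III = 1, 2, 3
STATUSES = ("open", "mitigated", "corrected")

# ASSUMPTION: the CAT II remediation window. The number of days is not
# legible in this copy of Appendix D, so it is a parameter with an assumed default.
DEFAULT_CAT_II_WINDOW_DAYS = 180


@dataclass(frozen=True)
class Finding:
    identifier: str
    category: int      # CAT_I, CAT_II or CAT_III
    status: str        # "open", "mitigated" or "corrected"

    def __post_init__(self):
        if self.category not in (CAT_I, CAT_II, CAT_III):
            raise ValueError(f"{self.identifier}: unknown category {self.category}")
        if self.status not in STATUSES:
            raise ValueError(f"{self.identifier}: unknown status {self.status!r}")


def cat2_deadline(ato_granted, cat2_window_days=DEFAULT_CAT_II_WINDOW_DAYS):
    """Date by which open CAT II findings must be corrected or mitigated."""
    return ato_granted + timedelta(days=cat2_window_days)


def ato_status(findings, ato_granted, today,
               cat2_window_days=DEFAULT_CAT_II_WINDOW_DAYS):
    """Return (status, reasons).

    'denied'  - a CAT I finding is not corrected. Appendix D requires CAT I to
                be corrected, so a CAT I that is only 'mitigated' still blocks.
    'invalid' - a CAT II finding is neither corrected nor mitigated and the
                window after the ATO date has expired.
    'valid'   - otherwise. CAT III findings never affect the result. When no
                ATO has been granted yet (ato_granted is None) 'valid' means
                the system is eligible for one.
    """
    reasons = [f"{f.identifier}: CAT I is {f.status}, must be corrected"
               for f in findings if f.category == CAT_I and f.status != "corrected"]
    if reasons:
        return "denied", reasons

    if ato_granted is not None:
        deadline = cat2_deadline(ato_granted, cat2_window_days)
        if today > deadline:
            reasons = [f"{f.identifier}: CAT II still open after {deadline.isoformat()}"
                       for f in findings if f.category == CAT_II and f.status == "open"]
            if reasons:
                return "invalid", reasons

    return "valid", []


# Constructed sample findings (identifiers and categories are illustrative).
SAMPLE_FINDINGS = [
    Finding("F-001", CAT_II, "open"),
    Finding("F-002", CAT_III, "open"),
    Finding("F-003", CAT_I, "corrected"),
]

if __name__ == "__main__":
    granted = date(2014, 1, 1)
    print("CAT II deadline:", cat2_deadline(granted))
    print(ato_status(SAMPLE_FINDINGS, granted, date(2014, 3, 1)))
    print(ato_status(SAMPLE_FINDINGS, granted, date(2014, 8, 1)))
```

Because the result carries the list of blocking findings, the same function can drive both the accreditation decision (Appendix B, Activity 3) and the annual review that may revoke it (Activity 4).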
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(U) Appendix E 
(U) Criteria 

(U) We used the following guidance throughout the audit. 

(U) National Security Telecommunications and Information 
Systems Security Committee 

(U) National Security Telecommunications and Information Systems Security 
Instruction 7003, "Protected Distribution Systems," December 13, 1996, outlines 
the approval authority, standards, and guidance for PDS design, installation, 
and maintenance. 

(U) Office of the Secretary of Defense 

(U) Office of the Secretary of Defense Memorandum "Insider Threat Mitigation," 
July 12, 2013, provides information protection and insider threat mitigation procedures 
to be implemented by all DoD Components. 

(U) Chairman of the Joint Chiefs of Staff 

(U) Chairman of the Joint Chiefs of Staff Instruction 6211.02D, "Defense Information 
Systems Network (DISN) Responsibilities," January 24, 2012, establishes policy and 
responsibilities for the connection of information systems and unified capabilities 
products to the DISN-provided transport and access to information services transmitted 
over the DISN. 

(U) DoD 

(U) DoDI 8500.2, "Information Assurance (IA) Implementation," February 6, 2003, 
implements policy, assigns responsibilities, and prescribes procedures for applying 
integrated, layered protection of the DoD information systems and networks. 

(U) DoDI 8510.01, "DoD Information Assurance Certification and Accreditation 
Process (DIACAP)," November 28, 2007, establishes a certification and accreditation 
process to manage the implementation of IA capabilities and services and provide 
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(U) visibility of accreditation decisions regarding the operation of DoD information 
systems, including core enterprise services and Web service-based software systems 
and applications. 

(U) DoDI 8510.01, "Risk Management Framework (RMF) for DoD Information 
Technology (IT)," March 12, 2014, provides procedural guidance for the reciprocal 
acceptance of authorization decisions and artifacts within DoD, and between DoD and 
other Federal agencies, for the authorization and connection of information systems. 

(U) DoDM 5200.01, volume 1, "DoD Information Security Program: Overview, 
Classification, and Declassification," February 24, 2012, implements policy, assigns 
responsibilities, and provides procedures for the designation, marking, protection, and 
dissemination of controlled unclassified information and classified information, 
including information categorized as collateral, sensitive compartmented information, 
and Special Access Program. 

(U) DoDM 5200.01, volume 3, "DoD Information Security Program: Protection of 
Classified Information," March 19, 2013, provides guidance for safeguarding, storing, 
destroying, transmitting, and transporting classified information and also identifies 
security education and training requirements and processes for handling of security 
violations and compromise of classified information. 

(U) U.S. Cyber Command 

(FOUO) U.S. Cyber Command Communications Tasking Order 10-133, "Protection of 
Classified Information on DoD Secret Internet Protocol Router Network (SIPRNet) 



(U) Navy 

(U) Secretary of the Navy Instruction 5239.3B, "Department of the Navy Information 
Assurance Policy," June 17, 2009, establishes IA policy for the DON consistent with 
national and DoD policies. 
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(U) Secretary of the Navy Manual 5510.36, "Department of the Navy Information 
Security Program," June 2006, establishes uniform policies and procedures for 
classifying, safeguarding, transmitting, and destroying classified information. 
In addition, the manual provides guidance on security education and the industrial 
security program. 

(U) DON, "DoD Information Assurance Certification and Accreditation Process (DIACAP) 
Handbook," version 1, July 15, 2008, details the baseline DON approach to the DIACAP 
and the procedures necessary to obtain an accreditation decision for DON information 
systems undergoing the certification and accreditation actions as required under 
Federal law, DoD and DON regulations and directives. 

(U) Navy Telecommunications Directive 10-11, "OPNAV Form 5239-14/System Access 
Authorization Request Navy (SAAR-N)," October 2011, requires all users accessing 
Navy IT resources to sign a SAAR-N form and complete DoD Annual IA training. 

(U) Defense Information Systems Agency 

(U) DISA, "Defense Information Systems Network (DISN) Connection Process 
Guide (CPG)," version 4.2, January 2013, establishes, manages, maintains, and 
promulgates a partner connection process guide describing steps that must be 
followed to request and implement a DISN connection. 

(U) DISA, "Network Infrastructure Technology Overview," version 8, release 5, 

April 27, 2012, provides security considerations at the network level needed for an 
acceptable level of risk for information as it is transmitted throughout the enclave. 


(U) Management Comments 


(U) Under Secretary of Defense for Intelligence 

Final Report 
Reference 

OFFICE OF THE UNDER SECRETARY OF DEFENSE 
WASHINGTON, DC 

MEMORANDUM FOR INSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSE 
(ATTN: PROGRAM DIRECTOR, READINESS AND CYBER OPERATIONS) 

SUBJECT: Draft DoD Inspector General Report, "Navy Commands Need to Improve 
Logical and Physical Controls Protecting SIPRNET Access Points" 

[Body of the memorandum is illegible in this copy.] 

Attachments: 
As stated 

Omitted attachments 
because of length. 
Copies provided 
upon request. 

(U) U.S. Cyber Command 


Final Kepnil 
Refeivnce 


U NC l ASSlFt€ 

DBPARTMOlT Of OEfeMC 
vanti> turM ctma eotfuu » 


77nri<ilv*1flU 

Rfply M* 

USCYBI:RC0M/J3 

9t0O MVAnr Rn. 6477 

E0R1 UKOnOK Q. MRAnE. hlAR YI.AND 36755 


MkMORANDirM 4(>KTMf. INSPI C ltM (H:M.RAI..1)KPAR1MEN‘I Of 


SUKJECI: {Of HvWvwof ilaMfictf Onit Mt|iQn "Mv) 1 «i«iviiMi| in l^cal 

«i»d CciiMiwIf S>I*KN1: T IMuli'ihttfcvt Nuniba 0301 )*4KKI0LC* 

«l 4 i.P 00 » 

I. (WMV#) Kffganftni ihc iHvKcoiiimriidvloni ioi LSCVekKCOM lo i64ris. i «0cf iM 

follml.iii bifginNilMn: 

• (II) RfciwnmcnYtliAn A.1: 



• (U> Rc<oiiiiiKnda6Mi A.): 




Rtnumbvred «i 
Recommendation A.2. 


S 6 fin#F 






GCCRCT 


Mnna^umem (.uinnuju' • 


(U) U.S. Cyber Command (conf d) 


Final Repoil 
Keferenve 


4. (U) The USCYBERCOM point of contact for this action is [not legible in source scan], Operations (J3).

[Signature block not legible in source scan]
USCYBERCOM Operations

Attachments: [titles not legible in source scan]

Omitted attachments because of length. Copies provided upon request.

UNCLASSIFIED//FOUO








(U) Deputy Under Secretary of the Navy 



THE DEPUTY UNDER SECRETARY OF THE NAVY
WASHINGTON, DC 20350-1000

[Day not legible in source scan] OCT 2014

MEMORANDUM FOR DEPARTMENT OF DEFENSE, OFFICE OF THE INSPECTOR GENERAL

SUBJECT: Department of Defense Office of the Inspector General Report on "Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points"

Reference: (a) DoD IG memorandum of 22 Sep 2014

As requested in reference (a), my office reviewed the Department of Defense Office of Inspector General report and concurs with comments. A security review was conducted on comments submitted and determined to be unclassified.

Questions regarding this review and attachment may be addressed to [not legible in source scan].

[Signature block not legible in source scan]

Attachment:
As stated




(U) Deputy Under Secretary of the Navy (cont'd) 


UNCLASSIFIED

[Attached Department of the Navy comment matrix not legible in source scan]

UNCLASSIFIED


(U) Department of the Navy Chief Information Officer 



DEPARTMENT OF THE NAVY
OFFICE OF THE CHIEF INFORMATION OFFICER
1000 NAVY PENTAGON
WASHINGTON, DC 20350-1000

[Date not legible in source scan]

MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL

SUBJECT: Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points

Reference (a): DoD IG Memorandum of September 22, 2014, "Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points"

(U) Reference (a) requested a response to the recommendations in the Department of Defense Inspector General draft report "Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points" (Project No. D2013-D000LC-0142.000). Recommendation A.4 was directed to the Department of the Navy Chief Information Officer (DON CIO).

(U) [DON CIO response to Recommendation A.4 not legible in source scan]

(U) The DON CIO has already begun implementation of the Department's transition to the revised DoD cybersecurity and Risk Management Framework (RMF) instructions. A DON CIO memorandum of May 10, 2014, "Implementation of the Risk Management Framework (RMF) for Information Technology (IT)," provided guidance to Navy and Marine Corps [not legible in source scan] on the DoD RMF. Additionally, to ensure compliance with DoD and DON cybersecurity and RMF requirements, the DON CIO is working with the DON Deputy CIO (Navy) on the development of the Navy RMF implementation plan.

[Signature block not legible in source scan]
Department of the Navy
Principal Deputy Chief Information Officer


(U) Assistant Deputy Chief of Naval Operations, 
Information Dominance 


DEPARTMENT OF THE NAVY
OFFICE OF THE CHIEF OF NAVAL OPERATIONS
2000 NAVY PENTAGON
WASHINGTON, DC 20350-2000

5000
Ser N2N6/[not legible in source scan]
[Date not legible in source scan]

From: Assistant Deputy Chief of Naval Operations, Information Dominance (N2/N6B)
To:   Department of Defense Inspector General (DoD IG)

Subj: NAVY RESPONSE TO DOD IG PROJECT NO. D2013-D000LC-0142.000

Encl: (1) through (16) [enclosure titles not legible in source scan]

1. Per reference (a), the following comments are provided:

2. (U) Recommendation A.4
   [response not legible in source scan]


(U) Assistant Deputy Chief of Naval Operations, 
Information Dominance (cont'd) 

3. (U) Recommendation A.5
   [response not legible in source scan]

4. (U) Recommendation A.6
   [response not legible in source scan]

Omitted attachments because of length. Copies provided upon request.


(U) Assistant Deputy Chief of Naval Operations, 
Information Dominance (cont'd) 

Omitted attachments because of length. Copies provided upon request.


(U) Assistant Deputy Chief of Naval Operations, 
Information Dominance (cont'd) 

(U) [Start of paragraph not legible in source scan] realignment is necessary for effective supervision, and establish policy that assigns supervisory responsibility.

   e. (U) Task. Establish and implement performance standards and standard operating procedures for the Information Assurance Manager function, and monitor and evaluate the Information Assurance Managers' performance.

7. (U) Recommendation [number not legible in source scan]
   [response not legible in source scan]

Omitted attachments because of length. Copies provided upon request.


(U) Assistant Deputy Chief of Naval Operations, 
Information Dominance (cont'd) 


8. (U) Recommendation A.[number not legible in source scan]
   [response not legible in source scan]

9. (U) Recommendation B.1
   (U) Task. [text not legible in source scan]

Omitted attachments because of length. Copies provided upon request.




(U) Assistant Deputy Chief of Naval Operations, 
Information Dominance (cont'd) 


11. (U) Recommendation B.2
    Task. [text not legible in source scan]

12. (U) Recommendation B.3
    a. (U) Task. [text not legible in source scan]

Omitted attachments because of length. Copies provided upon request.


(U) Assistant Deputy Chief of Naval Operations, 
Information Dominance (cont'd) 


Omitted attachments because of length. Copies provided upon request.


(U) Assistant Deputy Chief of Naval Operations, 
Information Dominance (cont'd) 

13. (U) Recommendation B.4
    [response not legible in source scan]

Copy to:
DON CIO WASHINGTON DC

Omitted attachments because of length. Copies provided upon request.






(U) Glossary 


(U) Accreditation Decision. A formal statement by a designated accrediting 
authority regarding acceptance of the risk associated with operating a DoD 
information system and expressed as an ATO, Interim ATO, Interim Authorization to 
Test, or Denial of ATO. The accreditation decision may be issued in hard copy with a 
traditional signature or issued electronically signed with a DoD public key 
infrastructure-certified digital signature. 

(U) Approval to Connect. A formal statement by the Connection Approval Office 
granting approval for an information system to connect to the DISN. The Approval to 
Connect cannot be granted for longer than the period of validity of the associated ATO. 
An ATO may be issued for up to 3 years. An Approval to Connect will not be granted 
based on an Interim ATO. 

(U) Artifacts. System policies, documentation, plans, test procedures, test results, and 
other evidence that express or enforce the IA posture of the DoD information system, 
make up the certification and accreditation information, and provide evidence of 
compliance with the assigned IA controls. 

(U) Authorization to Operate (ATO). Authorization granted by a designated 
accrediting authority for a DoD information system to process, store, or transmit 
information; an ATO indicates a DoD information system has adequately implemented 
all assigned IA controls to the point where residual risk is acceptable to the designated 
accrediting authority. ATOs may be issued for up to 3 years. 

(U) Category (CAT) I Severity. Assigned to findings that allow primary security 
protections to be bypassed, allowing immediate access by unauthorized personnel or 
unauthorized assumptions of super-user privileges. An ATO will not be granted while 
CAT I weaknesses are present. 

(U) Category (CAT) II Severity. Assigned to findings that have a potential to lead to 
unauthorized system access or activity. CAT II findings that have been satisfactorily 
mitigated will not prevent an ATO from being granted. 

(U) Certification Determination. A certifying authority's determination of the degree 
to which a system complies with assigned IA controls based on validation results. It 
identifies and assesses the residual risk with operating a system and the costs to correct 
or mitigate IA vulnerabilities as documented in the IT Security POA&M. 

(U) Classified Transport Boundary. A physical or logical perimeter of a system that 
conveys classified information from one location to another and requires protection. 

(U) Cross-Domain Solution. A form of controlled interface that provides the ability 
to manually or automatically access and transfer information between different 
security domains. 

(U) Denial of Authorization to Operate. A designated accrediting authority decision 
that a DoD information system cannot operate because of an inadequate IA design, 
failure to adequately implement assigned IA controls, or other lack of adequate 
security. If the system is already operational, the operation of the system is halted. 

(U) DIACAP Implementation Plan. Contains the information system's assigned IA 
controls. The plan also includes the implementation status, responsible entities, 
resources, and the estimated completion date for each assigned IA control. The plan 
may reference applicable supporting implementation material and artifacts. 

(U) DIACAP Scorecard. A summary report that succinctly conveys information on the 
IA security posture of a DoD information system in a format that can be exchanged 
electronically. It shows the implementation status of a DoD information system's 
assigned IA controls (compliant, noncompliant, or not applicable) as well as the 
certification and accreditation status. 

(U) Domain. An environment or context that includes a set of system resources and a 
set of system entities that have the right to access the resources as defined by a 
common security policy, security model, or security architecture. 

(U) Encrypted Tunnel. An encrypted tunnel sends secure information between 
networks by encapsulating network protocols within packets. 

(U) Interim Authorization to Operate. Temporary authorization granted by the 
designated accrediting authority to operate a DoD information system under the 
conditions or constraints enumerated in the accreditation decision. 

(U) Network Topology. Depicts the security posture of the network enclave that will 
be connecting to the DISN. 

(U) Plan of Action and Milestones (POA&M). A permanent record that identifies 
tasks to be accomplished in order to resolve vulnerabilities; required for any 
accreditation decision that requires corrective actions, it specifies resources required to 
accomplish the tasks enumerated in the plan and milestones for completing the tasks; 
also used to document designated accrediting authority accepted noncompliant IA 
controls and baseline IA controls that are not applicable. An IT Security POA&M may be 
active or inactive throughout a system's life cycle as weaknesses are newly identified 
or closed. 

(U) Protected Distribution System (PDS). A system used to transmit unencrypted 
classified National Security Information through an area of lesser classification 
or control. 

(U) Security Posture. The security status of an enterprise's networks, information, and 
systems based on IA resources and capabilities in place to manage the defense of the 
enterprise and to react as the situation changes. 

(U) Severity Codes. The category assigned to a system IA vulnerability by a Certifying 
Authority as part of certification analysis to indicate the risk level associated with the 
IA vulnerability and the urgency with which the corrective action must be completed. 
Severity categories are expressed as CAT I, CAT II, or CAT III, with CAT I indicating the 
greatest risk and urgency. 

(U) System Identification Profile. A compiled list of system characteristics or 
qualities required to register an information system with the governing DoD 
Component IA program. 

(U) Validation. Confirmation that requirements for a specific intended use or 
application have been fulfilled. 
(U) Annex 

(U) Sources 

(FOUO) Source 1: DoD Instruction O-3600.02, "Information Operations (IO) Security 
Classification Guide," November 28, 2005 (Document For Official Use Only) 

Declassify On: 20371105 
Date of Source: November 5, 2012 

Declassify On: 20371102 
Date of Source: November 2, 2012 

(Document classified Secret) 

Declassify On: 20220323 
Date of Source: May 4, 2012 
(U) Acronyms and Abbreviations 

ATO       Authorization to Operate 
CAT       Category 
CDSA      Cross-Domain Solution Authorization 
CIO       Chief Information Officer 
DDCIO(N)  Department of the Navy Deputy Chief Information Officer (Navy) 
DIACAP    Defense Information Assurance Certification and Accreditation Process 
DISA      Defense Information Systems Agency 
DISN      Defense Information Systems Network 
DoDI      DoD Instruction 
DoDM      DoD Manual 
DON       Department of the Navy 
IA        Information Assurance 
IAM       Information Assurance Manager 
IT        Information Technology 
NATO      North Atlantic Treaty Organization 
NMCI      Navy Marine Corps Intranet 
ODAA      Operational Designated Accrediting Authority 
PDS       Protected Distribution System 
POA&M     Plan of Action and Milestones 
SAAR-N    System Access Authorization Request Navy 
SIPRNET   Secret Internet Protocol Router Network 
Whistleblower Protection 

U.S. Department of Defense 

The Whistleblower Protection Enhancement Act of 2012 requires 
the Inspector General to designate a Whistleblower Protection 
Ombudsman to educate agency employees about prohibitions 
on retaliation, and rights and remedies against retaliation for 
protected disclosures. The designated ombudsman is the DoD Hotline 
Director. For more information on your rights and remedies against 
retaliation, visit www.dodig.mil/programs/whistleblower. 

For more information about DoD IG 
reports or activities, please contact us: 

Congressional Liaison 
congressional@dodig.mil; 703.604.8324 

Media Contact 
public.affairs@dodig.mil; 703.604.8324 

Monthly Update 
dodigconnect-request@listserve.com 

Reports Mailing List 
dodig_report@listserve.com 

Twitter 
twitter.com/DoD_IG 

DoD Hotline 
dodig.mil/hotline 

DEPARTMENT OF DEFENSE | INSPECTOR GENERAL 

4800 Mark Center Drive 
Alexandria, VA 22350-1500 
www.dodig.mil 

Defense Hotline 1.800.424.9098 